
feat(tests): add unit tests for validation functions in docker-contai…#3735

Merged
Siumauricio merged 3 commits into canary from fix/Command-Injection-in-/docker-container-logs-Endpoint on Feb 18, 2026

Conversation


@Siumauricio Siumauricio commented Feb 18, 2026

…ner-logs

  • Introduced tests for isValidTail, isValidSince, isValidSearch, and isValidContainerId functions to ensure proper validation and security against command injection.
  • Updated docker-container-logs to utilize these validation functions, enhancing input handling for WebSocket connections.

What is this PR about?

Please describe in a short paragraph what this PR is about.

Checklist

Before submitting this PR, please make sure that:

  • You created a dedicated branch based on the canary branch.
  • You have read the suggestions in the CONTRIBUTING.md file https://github.com/Dokploy/dokploy/blob/canary/CONTRIBUTING.md#pull-request
  • You have tested this PR in your local instance. If you have not tested it yet, please do so before submitting. This helps avoid wasting maintainers' time reviewing code that has not been verified by you.

Issues related (if applicable)

Screenshots (if applicable)

Greptile Summary

Added validation functions and unit tests for docker container log parameters (tail, since, search, containerId) to prevent command injection attacks. However, the isValidSearch regex still allows critical shell metacharacters ($, `, ', (), and these parameters are directly embedded in shell commands executed via SSH and locally.

Critical security issues:

  • isValidSearch allows $, `, ', and ( which enable command substitution
  • Line 99 uses double quotes where $(cmd) and `cmd` execute
  • Line 153 uses single quotes where ' can break out of quoting
  • Test comment incorrectly claims search is not concatenated into shell commands

Other findings:

  • Good: isValidTail, isValidSince, and isValidContainerId validations are strong
  • Good: Comprehensive test coverage for non-search parameters
  • Good: Default values prevent null/undefined injection

Confidence Score: 0/5

  • This PR introduces a critical remote code execution vulnerability
  • The isValidSearch function allows shell metacharacters ($, `, ', () that enable command injection. These are directly exploitable in the SSH path (line 99, double quotes) and local path (line 153, single quotes) where user input is embedded in shell commands. An attacker can execute arbitrary commands by sending malicious search parameters.
  • Critical attention needed: apps/dokploy/server/wss/utils.ts and apps/dokploy/server/wss/docker-container-logs.ts contain exploitable command injection vulnerabilities

Last reviewed commit: 33c3a4e

…ner-logs

- Introduced tests for isValidTail, isValidSince, isValidSearch, and isValidContainerId functions to ensure proper validation and security against command injection.
- Updated docker-container-logs to utilize these validation functions, enhancing input handling for WebSocket connections.

greptile-apps bot left a comment

3 files reviewed, 3 comments


greptile-apps bot commented Feb 18, 2026

Additional Comments (2)

apps/dokploy/server/wss/docker-container-logs.ts
Shell injection vulnerability: single quotes can contain special chars that break out. The local execution path uses single quotes around ${search} but doesn't escape it, while the SSH path (line 99) properly escapes with double quotes. An attacker could inject commands using: ' ; whoami ; '

const escapedSearch = search ? search.replace(/'/g, "'\\''") : "";
const command = search
	? `${baseCommand} 2>&1 | grep -iF '${escapedSearch}'`
	: baseCommand;

apps/dokploy/server/wss/docker-container-logs.ts
Shell injection risk: double quotes don't fully protect against command substitution. A search string like $(whoami) or `whoami` will still execute. The -F flag helps but the validation should prevent backticks and $() entirely, or use single quotes with proper escaping (like line 153 should do).

const command = search
	? `${baseCommand} 2>&1 | grep --line-buffered -iF '${escapedSearch.replace(/'/g, "'\\''")}'`
	: baseCommand;

…haracters

- Updated the regex in the isValidSearch function to limit valid characters, improving input validation and security against potential injection attacks.
Siumauricio (Contributor, Author) commented:

@greptile review

greptile-apps bot left a comment

3 files reviewed, 3 comments


Comment on lines 43 to 46

Critical: allows $, `, ', and ( which enable command injection. Since search is inserted into shell commands (line 99 uses double quotes where $ and ` execute; line 153 uses single quotes where ' breaks out), this creates a remote code execution vulnerability.

Suggested change (current lines 43 to 46, then the proposed replacement):

export const isValidSearch = (search: string): boolean => {
	return /^[\x20-\x21\x23-\x25\x27-\x28\x2A-\x3A\x3D\x3F-\x5B\x5D-\x7B\x7D-\x7E]{0,500}$/.test(
		search,
	);

export const isValidSearch = (search: string): boolean => {
	return /^[a-zA-Z0-9\s._-]{0,500}$/.test(search);
};


greptile-apps bot commented Feb 18, 2026

Additional Comments (1)

apps/dokploy/server/wss/docker-container-logs.ts
Command injection via $ and ` in double quotes. Even with single-quote escaping, ${escapedSearch} in double quotes allows $(whoami) or `whoami` execution.

const escapedSearch = search ? search.replace(/'/g, "'\\''") : "";
const command = search
	? `${baseCommand} 2>&1 | grep --line-buffered -iF '${escapedSearch}'`
	: baseCommand;

- Enhanced the isValidSearch function to restrict allowed characters to alphanumeric, space, dot, underscore, and hyphen, preventing command injection vulnerabilities.
- Updated unit tests to reflect the new validation rules and ensure comprehensive coverage against potential injection attacks.
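The two layers the review thread converges on, as an added example that is not dokploy's own code: an allowlist validator using the regex from the bot's suggested change, and a command builder that wraps the value in POSIX single quotes with the `'\''` splice discussed above. The function names `shellSingleQuote` and `buildLogsCommand` are assumptions; the sample inputs are the ones quoted in the review.

```typescript
// Added example, not code from the dokploy repository. Names are assumed.

// Allowlist from the suggested change: letters, digits, whitespace, dot,
// underscore and hyphen, at most 500 characters. Note that \s also admits
// tab and newline; both stay literal inside single quotes below.
const SEARCH_ALLOWLIST = /^[a-zA-Z0-9\s._-]{0,500}$/;

const isValidSearch = (search: string): boolean =>
  SEARCH_ALLOWLIST.test(search);

// Single-quote a value for a POSIX shell. Inside single quotes nothing is
// special ($, backtick and backslash are all literal), so the only byte that
// needs handling is a literal quote, spliced as '\'' (close, escaped quote,
// reopen). This is the escaping the review asks for on the local path.
const shellSingleQuote = (value: string): string =>
  `'${value.replace(/'/g, "'\\''")}'`;

// Build the log pipeline. Validation runs first so anything outside the
// allowlist never reaches a shell at all; the quoting is the second layer.
const buildLogsCommand = (baseCommand: string, search: string): string => {
  if (!isValidSearch(search)) {
    throw new Error("invalid search parameter");
  }
  return search
    ? `${baseCommand} 2>&1 | grep --line-buffered -iF ${shellSingleQuote(search)}`
    : baseCommand;
};

// The break-out strings quoted in the review; all must fail validation.
const KNOWN_BREAKOUTS = ["$(whoami)", "`whoami`", "' ; whoami ; '"];
const rejectsKnownBreakouts = (): boolean =>
  KNOWN_BREAKOUTS.every((s) => !isValidSearch(s));
```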
@Siumauricio Siumauricio merged commit 1d5ab71 into canary Feb 18, 2026
4 checks passed
@Siumauricio Siumauricio deleted the fix/Command-Injection-in-/docker-container-logs-Endpoint branch February 18, 2026 00:17